On Mon, Jan 30, 2012 at 02:31:15AM +0100, Marco d'Itri wrote:
> On Jan 30, Adam Borowski <kilob...@angband.pl> wrote:
> > It would be nice to have some documentation about how lxc is different from
> > them, and how to work around bugs and limitations.  I for one spent ~10
> Let's start with this: in its current form, it is not designed to
> protect the host system from an untrusted root user in a guest.
> So far lxc is nice for testing, but not much more.
> http://blog.bofh.it/debian/id_413

This example shows nothing new.  If you have CAP_SYS_MOUNT, you can also
just mount the root filesystem into your own tree.  Linux-VServer does
not help against processes with too many capabilities, not sure about
OpenVZ.

> > * how to execute a command in a running VM?  lxc-execute complains that the
> Lack of something like VE_ENTER also makes it unsuitable for me.

ssh works.

> AFAIK there is still no way to attach a process to an existing cgroup,

You need execve to change most cgroups.

Bastian

-- 
We Klingons believe as you do -- the sick should die.  Only the strong
should live.
		-- Kras, "Friday's Child", stardate 3497.2
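An added example, not part of the original message: a host-side check that decodes the Cap* masks in /proc/<pid>/status and lists the host-affecting capabilities a guest process still holds. Bit numbers come from linux/capability.h, where mount(2) is gated by CAP_SYS_ADMIN; the status samples and the selection of flagged capabilities are constructed for illustration.

```python
import re

# Bit numbers from <linux/capability.h>. Only capabilities whose effect is
# not confined to the guest are listed (selection is this example's choice).
HOST_AFFECTING = {
    16: ("CAP_SYS_MODULE", "load and unload kernel modules"),
    17: ("CAP_SYS_RAWIO", "raw I/O port access (ioperm/iopl)"),
    21: ("CAP_SYS_ADMIN", "mount(2) and many other admin operations"),
    25: ("CAP_SYS_TIME", "set the system clock"),
    27: ("CAP_MKNOD", "create device nodes with mknod(2)"),
}

# Constructed samples of /proc/<pid>/status content (not captured output).
FULL_STATUS = (
    "Name:\tinit\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000001fffffffff\n"
    "CapEff:\t0000001fffffffff\n"
    "CapBnd:\t0000001fffffffff\n"
)
RESTRICTED_STATUS = FULL_STATUS.replace("0000001fffffffff", "00000000000427ff")


def parse_cap_sets(status_text):
    """Return a dict such as {'CapEff': int, 'CapBnd': int} from status text."""
    pattern = r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}


def host_affecting(status_text, field="CapBnd"):
    """List (name, reason) for flagged capabilities present in one set.

    CapBnd is the default because, by default, a root process regains
    everything left in the bounding set on execve, even if it was
    cleared from the effective set.
    """
    sets = parse_cap_sets(status_text)
    if field not in sets:
        raise ValueError(f"{field} not found in status text")
    mask = sets[field]
    return [HOST_AFFECTING[bit] for bit in sorted(HOST_AFFECTING)
            if mask & (1 << bit)]


if __name__ == "__main__":
    for label, text in (("full", FULL_STATUS), ("restricted", RESTRICTED_STATUS)):
        print(label, [name for name, _ in host_affecting(text)])
```

On a live host, pass the contents of /proc/<pid>/status for the guest's init process instead of the constructed samples.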